Wednesday, September 26, 2007

Typos in domain names are common tricks used by phishers as well as advertisers to take advantage of users misspelling popular domain names. It's often referred to as domain parking. There's a lot being done to tackle this, from new laws to anti-phishing techniques and the lot.

Something occurred to me recently that made me wonder whether this happens with email addresses at all? Email addresses are often a lot more complicated than domain names. Just think about how often people's names are misspelled. What if someone took a popular email address and registered a common misspelling? What if the contents of an email sent to that incorrect address were confidential? The consequences could be devastating!

This might appear cumbersome, but let me first describe what occurred to me. My Gmail address includes my surname, Gallotta, which is often misspelled (Galotta, Gallota, etc.). So a few months ago I signed up for various misspellings and set them up to forward to the correct address. By chance I recognised that a recent, very important email was sent to one of these addresses. After noticing, I did a quick search and discovered that a fair number were sent to these misspelled addresses! So this was certainly not a once-off occasion. Even people I communicate with regularly made this mistake.

If I had not signed up for those accounts it could well have caused a few problems! It wasn't confidential (my response was though!), but what if it was and someone else knew that I was receiving confidential information they wanted to get hold of? What if he had registered the misspelled address himself? Disaster!!

Are there any solutions? Ignoring the case of free email services such as Gmail for a moment, the domain name is the most critical. If the user's section of the address is misspelled (the part before the @) then it will stay within the domain and in most cases the damage caused will be negligible. So if there is control over registering domains similar to major domains, then a large part of the problem will be solved.

For free email services such as Gmail, you could do what I did and register the addresses with possible typos. You won't catch everything and if the address is already taken by someone else there is nothing you can do about it. You might say people shouldn't be sending confidential information over free email services. While this is true to some extent, there are varying levels of confidentiality. Even personal emails can be considered confidential and we don't want to restrict everyone from using such wonderful services. Someone might even do it as a joke and it could end up providing him with emails you would absolutely not want to let him read.
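The defensive registration described above can be planned systematically. The following is an added example, not code from the original post: it enumerates the one-slip misspellings of an address's local part and tallies which of them show up as recipients in received mail. The function names, the `example.com` addresses and the likelihood ordering are assumptions made for illustration.

```python
from collections import Counter

def typo_variants(local):
    """Map each one-slip misspelling of `local` to the kind of slip."""
    local = local.lower()
    variants = {}
    for i, ch in enumerate(local):
        nxt = local[i + 1] if i + 1 < len(local) else ""
        # Dropping one of a doubled pair ("ll" -> "l") is the slip the post reports.
        kind = "dropped-double" if ch == nxt else "dropped-letter"
        variants.setdefault(local[:i] + local[i + 1:], kind)
        variants.setdefault(local[:i] + ch + local[i:], "doubled-letter")
        if nxt and nxt != ch:
            variants.setdefault(local[:i] + nxt + ch + local[i + 2:], "swapped-pair")
    variants.pop(local, None)   # safety: never list the correct spelling
    variants.pop("", None)      # a one-character local part has no omission variant
    return variants

# Assumed ordering of how likely each slip is; not taken from the post.
ORDER = ["dropped-double", "swapped-pair", "dropped-letter", "doubled-letter"]

def defensive_addresses(address):
    """Addresses worth registering and forwarding, likeliest slip first."""
    local, _, domain = address.lower().rpartition("@")
    found = typo_variants(local)
    ranked = sorted(found, key=lambda v: (ORDER.index(found[v]), v))
    return [f"{v}@{domain}" for v in ranked]

def tally_misdirected(address, recipients):
    """Count received messages per misspelled recipient on the same domain."""
    local, _, domain = address.lower().rpartition("@")
    known = typo_variants(local)
    hits = Counter()
    for rcpt in recipients:
        r_local, _, r_domain = rcpt.strip().lower().rpartition("@")
        if r_domain == domain and r_local in known:
            hits[r_local] += 1
    return hits

if __name__ == "__main__":
    # Constructed sample data: placeholder address and recipient list.
    mine = "gallotta@example.com"
    seen = ["Galotta@example.com", "gallotta@example.com",
            "gallota@example.com", "galotta@example.com"]
    print(defensive_addresses(mine)[:5])
    print(tally_misdirected(mine, seen))
```

The tally shows which misspellings people actually use, which tells you which forwarding accounts matter most to keep.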

I think this is an issue that deserves further attention. If it has received attention then it sure hasn't been enough as I've never heard of any solutions to this before.